Which role can I give a co-worker that will allow them to add IP to allowlist?

I would like to add a co-worker to my Cloudflare account, with the primary goal of them being able to allowlist IP addresses. Which role can I assign that will allow them to do that?

See the documentation on the different roles and their capabilities below.

I haven’t tested this myself… but looking at the documentation, it seems you have two options:

  1. If you have multiple domains in the account, but want your co-worker to do this for ONLY ONE domain, then the only option is to make the person a “Domain Administrator” for that specific domain.

Domain Administrator (Domain-Scoped role): Grants full access to (one or more) domains in an account, and read-only access to account-wide Firewall, Access, and Worker resources.

Of course, this grants them full access far beyond what you’re asking for, but their actions will be limited to just that single domain (and not the entire account).

  2. The second option is if you want the co-worker to do this for all domains in the account, then you’d use:

Firewall (Account-scoped role): Can edit WAF, IP Access rules, Zone Lockdown settings, and Cache Rules.

Note that this is an account-wide role, so the team member will be able to manage these firewall functions (and nothing else) for all domains in the account.

It’s currently not possible to scope the Firewall role to a single domain.
